Sunday, February 13, 2011

What have we learned from Conficker?

Conficker has been somewhat of a catalyst to help unify a large group of professional and academic whitehats

Conficker is the name applied to a sequence of malicious software. It initially exploited a flaw in Microsoft software, but has undergone significant evolution since then (versions A through E thus far).

Nearly from its inception, Conficker demonstrated just how effective a random scanning worm can take advantage of the huge worldwide pool of poorly managed and unpatched internet-accessible computers. Even on those occasions when patches are diligently produced, widely publicized, and auto-disseminated by operating system and application manufactures, Conficker demonstrates that millions of Internet-accessible machines may remain permanently vulnerable.

In some cases, even security-conscious environments may elect to forgo automated software patching, choosing to trade off vulnerability exposure for some perceived notion of platform stability.

Another lesson of Conficker is the ability of malware to manipulate the current facilities through which internet name space is governed. Dynamic domain generation algorithms (DGAs), along with fast flux (domain name lookups that translate to hundreds or thousands of potential IP addresses), are increasingly adopted by malware perpetrators as a retort to the growing efficiency with which whitehats were able to behead whole botnets by quickly identifying and removing their command and control sites and redirecting all bot client links.

While not an original concept, Conficker's DGA produced a new and unique struggle between Conficker's authors and the whitehat community, who fought for control of the daily sets of domains used as Conficker's internet rendezvous points.

Yet another lesson from the study of Conficker is the ominous sophistication with which modern malware is able to terminate, disable, reconfigure, or blackhole native OS and third-party security services..

Today's malware truly poses a comprehensive challenge to our legacy host-based security products, including Microsoft's own anti-malware and host recovery technologies. Conficker offers a nice illustration of the degree to which security vendors are challenged to not just hunt for malicious logic, but to defend their own availability, integrity, and the network connectivity vital to providing them a continual flow of the latest malware threat intelligence.

To address this concern, we may eventually need new OS services specifically designed to help third-party security applications maintain their foothold within the host.